DOI: 10.1145/1128817.1128837

Design space and analysis of worm defense strategies

Published: 21 March 2006

Abstract

    We give the first systematic investigation of the design space of worm defense strategies. We accomplish this by providing a taxonomy of defense strategies that abstracts away implementation-dependent and approach-specific details and concentrates on the fundamental properties of each defense category. Our taxonomy and analysis reveal the key parameters of each strategy that determine its effectiveness. We provide a theoretical foundation for understanding how these parameters interact, as well as a simulation-based analysis of how the strategies compare as worm defense systems. Finally, we offer recommendations, based on our taxonomy and analysis, on which worm defense strategies are most likely to succeed. In particular, we show that a hybrid approach combining Proactive Protection and Reactive Antibody Defense is the most promising, and can be effective even against the fastest worms, such as hitlist worms. We are thus the first to demonstrate, with theoretical and empirical models, which defense strategies will work against the fastest worms such as hitlist worms.
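The comparison the abstract describes can be made concrete with a small simulation. The following is an added example, not code or a model from the paper: a deterministic mean-field susceptible/infected model in which a random-scanning worm and a hitlist worm are each run against no defense, Proactive Protection alone (modelled as a per-attempt exploit success probability, as when the attacker must guess a few bits of a randomized layout), Reactive Antibody Defense alone (a detection threshold, a generation delay, then gradual antibody deployment) and the hybrid of the two. The host count, address-space size, scan rate, success probability, threshold, delay and deployment rate are all assumed values chosen for illustration, not figures from the paper.

```python
"""Mean-field comparison of worm defense strategies.

Added example (not from the paper): a deterministic, discrete-time
susceptible / infected model, one tick = one second, with two worm types
and four defense strategies.  Every numeric parameter below is an
assumption chosen for illustration, not a figure from the paper.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ADDRESS_SPACE = 2 ** 32  # scanning worms probe IPv4 uniformly (assumption)


@dataclass(frozen=True)
class Worm:
    kind: str               # "scan" (random scanning) or "hitlist"
    scan_rate: float = 100  # probes per infected host per tick (assumption)


@dataclass(frozen=True)
class Defense:
    # Proactive Protection: probability that one exploit attempt succeeds on a
    # host.  1.0 = unprotected; 1/64 models randomization that forces the
    # attacker to guess 6 bits per attempt (assumption; real ASLR is stronger).
    exploit_success: float = 1.0
    # Reactive Antibody Defense: the worm is noticed once `detect_at` hosts
    # are infected; `generation_delay` ticks later an antibody (signature or
    # patch) exists and immunizes a `deploy_rate` fraction of the remaining
    # susceptible hosts per tick.  detect_at=None disables the reactive part.
    detect_at: Optional[int] = None
    generation_delay: int = 60
    deploy_rate: float = 0.2


def simulate(worm: Worm, defense: Defense, hosts: int = 1_000_000,
             ticks: int = 86_400, initial_infected: int = 1) -> float:
    """Return the fraction of hosts ever infected after `ticks` ticks (one day)."""
    susceptible = float(hosts - initial_infected)
    infected = float(initial_infected)      # infected hosts are never cleaned
    detected_at: Optional[int] = None
    for t in range(ticks):
        if worm.kind == "hitlist":
            # each infected host attacks one not-yet-infected entry of its hitlist
            attempts = min(infected, susceptible)
        elif worm.kind == "scan":
            # only the fraction S/ADDRESS_SPACE of random probes reach a susceptible host
            attempts = infected * worm.scan_rate * (susceptible / ADDRESS_SPACE)
        else:
            raise ValueError(f"unknown worm kind {worm.kind!r}")
        new = min(susceptible, attempts * defense.exploit_success)
        susceptible -= new
        infected += new
        if defense.detect_at is None:
            continue
        if detected_at is None and infected >= defense.detect_at:
            detected_at = t
        if detected_at is not None and t >= detected_at + defense.generation_delay:
            # immunized hosts leave the susceptible pool for good
            susceptible -= defense.deploy_rate * susceptible
    return infected / hosts


STRATEGIES = {
    "none":      Defense(),
    "proactive": Defense(exploit_success=1 / 64),
    "reactive":  Defense(detect_at=1000),
    "hybrid":    Defense(exploit_success=1 / 64, detect_at=1000),
}


def compare() -> Dict[Tuple[str, str], float]:
    """Fraction of hosts infected for every (worm kind, strategy) pair."""
    return {(worm.kind, name): simulate(worm, defense)
            for worm in (Worm("scan"), Worm("hitlist"))
            for name, defense in STRATEGIES.items()}


if __name__ == "__main__":
    for (kind, name), fraction in compare().items():
        print(f"{kind:8s} {name:10s} infected = {fraction:8.3%}")
```

Run as a script it prints one line per (worm, strategy) pair. With these parameters the hitlist worm infects essentially every host under no defense, under reactive defense alone (the antibody is ready a minute after detection, but the worm finished in twenty seconds) and under proactive protection alone (which only stretches the outbreak to about fifteen minutes), while the hybrid holds it below one percent: the slowdown bought by proactive protection is what gives the reactive antibody time to be generated and deployed. For the slower scanning worm the reactive defense alone already suffices. That is the mechanism behind the abstract's recommendation, in a toy model that makes no claim to reproduce the paper's own simulations.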

    Published In

    ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, computer and communications security
    March 2006
    384 pages
    ISBN:1595932720
    DOI:10.1145/1128817

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. antibody
    2. blacklisting
    3. defense strategy analysis
    4. local containment
    5. proactive protection
    6. worm propagation
    7. worm taxonomy
    8. worms

    Qualifiers

    • Article

    Conference

    Asia CCS06

    Acceptance Rates

    Overall Acceptance Rate 418 of 2,322 submissions, 18%

    Cited By

    • (2014) Topological properties of robust biological and computational networks. Journal of The Royal Society Interface, 11:96 (20140283). DOI 10.1098/rsif.2014.0283. Online publication date: 30-Apr-2014.
    • (2009) A novel contagion-like patch dissemination mechanism against peer-to-peer file-sharing worms. Proceedings of the 5th International Conference on Information Security and Cryptology, 313-323. DOI 10.5555/1950111.1950141. Online publication date: 12-Dec-2009.
    • (2009) An information-theoretic view of network-aware malware attacks. IEEE Transactions on Information Forensics and Security, 4:3 (530-541). DOI 10.1109/TIFS.2009.2025847. Online publication date: 1-Sep-2009.
    • (2009) Defending passive worms in unstructured P2P networks based on healthy file dissemination. Computers and Security, 28:7 (628-636). DOI 10.1016/j.cose.2009.06.007. Online publication date: 1-Oct-2009.
    • (2008) Improving sensor network immunity under worm attacks. Proceedings of the 9th ACM International Symposium on Mobile Ad Hoc Networking and Computing, 149-158. DOI 10.1145/1374618.1374640. Online publication date: 26-May-2008.
    • (2008) Maximizing an Organization's Information Security Posture by Distributedly Assessing and Remedying System Vulnerabilities. 2008 IEEE International Conference on Networking, Sensing and Control, 1148-1152. DOI 10.1109/ICNSC.2008.4525389. Online publication date: Apr-2008.
    • (2007) Sweeper. ACM SIGOPS Operating Systems Review, 41:3 (115-128). DOI 10.1145/1272998.1273010. Online publication date: 21-Mar-2007.
    • (2007) Sweeper. Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007, 115-128. DOI 10.1145/1272996.1273010. Online publication date: 21-Mar-2007.
    • (2007) Misleading and defeating importance-scanning malware propagation. 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops (SecureComm 2007), 250-259. DOI 10.1109/SECCOM.2007.4550340. Online publication date: Sep-2007.
    • (2007) Measuring Network-Aware Worm Spreading Ability. Proceedings of IEEE INFOCOM 2007, 26th IEEE International Conference on Computer Communications, 116-124. DOI 10.1109/INFCOM.2007.22. Online publication date: 1-May-2007.
